cbcvebase.
CVE-2018-7448
published 2018-02-26

Priority: P2 (58, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: flagged on this record
EPSS: 13.25% (95.9th percentile)
Remote code execution vulnerability in /cmsms-2.1.6-install.php/index.php in CMS Made Simple version 2.1.6 allows remote attackers to inject arbitrary PHP code via the "timezone" parameter in step 4 of a fresh installation procedure.

Affected (1 range)

Vendor: cmsmadesimple
Product: cms_made_simple
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /cmsms-2.1.6-install.php/index.php
url: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.1.6-install.zip
path: /cms/cmsms-2.1.6-install.php/index.php?mdf68c24c=4
command: timezone=junk';echo%20system($_GET['cmd']);$junk='junk
path: /config.php
filename: config.php
  • Monitor POST requests to the installer path containing 'mdf68c24c=4' query parameter, which indicates step 4 of the CMS Made Simple installation — the stage where the timezone injection occurs.
  • Detect PHP code injection patterns in the 'timezone' POST parameter, specifically sequences containing single-quote breaks followed by PHP function calls such as system(), echo, or $_GET references.
  • Alert on GET requests to config.php with a 'cmd' parameter, which indicates post-exploitation webshell access via the backdoored configuration file.
  • Flag any web-accessible cmsms-2.1.6-install.php file that remains present after installation; its continued accessibility is a prerequisite for exploitation.
  • Watch for filesystem permission changes to 777 on the web root or config.php, as the installer forces write permissions that enable the injection.
  • Exploitation requires a fresh (not yet completed) installation and valid database credentials; the vulnerability is not exploitable on already-installed instances unless the installer file is left accessible.
  • The injected payload persists in config.php on disk; remediation requires removing or sanitizing config.php in addition to patching, as the backdoor survives the installation process.
  • The vulnerability was fixed in version 2.2; any instance still running 2.1.6 with the installer file present is fully exploitable.

CVSS provenance

NVD, CVSS v3.0: 7.5 HIGH, vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 8.5 HIGH, vector AV:N/AC:M/Au:S/C:C/I:C/A:C